ISO/IEC 42001:2023 — AI Management Systems
- I. ISO/IEC 42001:2023 AI Management System Requirements
- Ch. I — Context, Leadership, and Planning (Clauses 4-6)
- Art. 4.1. Understanding the organization and its context (8)
- Art. 4.2. Understanding the needs and expectations of interested parties (4)
- Art. 4.3. Determining the scope of the AI management system (9)
- Art. 4.4. AI management system (12)
- Art. 5.1. Leadership and commitment (10)
- Art. 5.2. AI policy (8)
- Art. 5.3. Roles, responsibilities and authorities (10)
- Art. 6.1.1. General (actions to address risks and opportunities) (7)
- Art. 6.1.2. AI risk assessment (13)
- Art. 6.1.3. AI risk treatment (6)
- Art. 6.1.4. AI system impact assessment (5)
- Art. 6.2. AI objectives and planning to achieve them (12)
- Art. 6.3. Planning of changes (7)
- Ch. II — Support and Operation (Clauses 7-8)
- Art. 7.1. Resources (9)
- Art. 7.2. Competence (5)
- Art. 7.3. Awareness (6)
- Art. 7.4. Communication (3)
- Art. 7.5. Documented information (9)
- Art. 8.1. Operational planning and control (10)
- Art. 8.2. AI risk assessment (operational) (6)
- Art. 8.3. AI risk treatment (operational) (6)
- Art. 8.4. AI system impact assessment (operational) (13)
- Ch. III — Performance Evaluation and Improvement (Clauses 9-10)
- Art. 9.1. Monitoring, measurement, analysis and evaluation (4)
- Art. 9.2. Internal audit (10)
- Art. 9.3. Management review (10)
- Art. 10.1. Continual improvement (9)
- Art. 10.2. Nonconformity and corrective action (10)
- Ch. IV — Annex A Controls — Policies and Organization (A.2-A.3)
- Art. A.2.2. AI Policy (9)
- Art. A.2.3. Responsible AI Topics in AI Policy (4)
- Art. A.3.2. Roles and Responsibilities for AI (6)
- Art. A.3.3. Reporting of AI Concerns (9)
- Art. A.3.4. Impact of Organizational Changes (6)
- Ch. V — Annex A Controls — Resources and Impact Assessment (A.4-A.5)
- Art. A.4.2. Resources Related to AI Systems (5)
- Art. A.4.3. Competencies Related to AI Systems (4)
- Art. A.4.4. Awareness of Responsible Use of AI Systems (4)
- Art. A.4.5. Consultation (6)
- Art. A.4.6. Communication About the AI System (6)
- Art. A.5.2. AI System Risk Assessment (5)
- Art. A.5.3. AI System Impact Assessment (8)
- Art. A.5.4. Impact of AI System Documentation (4)
- Ch. VI — Annex A Controls — AI System Life Cycle (A.6)
- Art. A.6.2.2. Design and Development of AI System (5)
- Art. A.6.2.3. Training and Testing AI Model (14)
- Art. A.6.2.4. Verification and Validation of AI System (7)
- Art. A.6.2.5. Deployment of AI System (10)
- Art. A.6.2.6. Operation and Monitoring of AI System (10)
- Art. A.6.2.7. Retirement of AI System (10)
- Art. A.6.2.8. Responsible AI System Integration (9)
- Art. A.6.2.9. AI System Documentation (7)
- Art. A.6.2.10. Defined Use and Misuse of AI System (5)
- Art. A.6.2.11. Management of Third-Party AI System Components (6)
- Ch. VII — Annex A Controls — Data, Information, and Relationships (A.7-A.10)
- Art. A.7.2. Data for Development and Enhancement of AI System (11)
- Art. A.7.3. Data Quality for ML and Data for AI System (11)
- Art. A.7.4. Data Preparation (11)
- Art. A.7.5. Data Acquisition and Collection (6)
- Art. A.7.6. Data Provenance (7)
- Art. A.8.2. Informing Interested Parties About AI System Interaction (6)
- Art. A.8.3. Informing Interested Parties About AI Outcomes (4)
- Art. A.8.4. Access to Information About AI System Interaction (5)
- Art. A.8.5. Enabling Appropriate Human Actions in Response to AI Outputs (7)
- Art. A.9.2. Objectives for Responsible Use of AI System (6)
- Art. A.9.3. Intended Use of AI System (4)
- Art. A.9.4. Processes for Responsible Use of AI System (7)
- Art. A.9.5. Human Oversight Aspects (11)
- Art. A.10.2. Suppliers of AI System Components (8)
- Art. A.10.3. Shared ML Models (14)
- Art. A.10.4. Provision of AI System to Third Parties (5)
Title I — ISO/IEC 42001:2023 AI Management System Requirements
Chapter I — Context, Leadership, and Planning (Clauses 4-6)
Chapter II — Support and Operation (Clauses 7-8)
Chapter III — Performance Evaluation and Improvement (Clauses 9-10)
Chapter IV — Annex A Controls — Policies and Organization (A.2-A.3)
Article A.2.2. AI Policy
2 obligations
ISO42001-A.2.2-01
Requirement
Establish AI Policy
The organization must establish an AI policy that is appropriate to its purpose and provides a framework for setting AI
ISO42001-A.2.2-02
Requirement
Define Commitment to Responsible AI
The AI policy must define the organization's commitment to the responsible development, deployment, and use of AI system
Chapter V — Annex A Controls — Resources and Impact Assessment (A.4-A.5)
Chapter VI — Annex A Controls — AI System Life Cycle (A.6)
Chapter VII — Annex A Controls — Data, Information, and Relationships (A.7-A.10)
Article A.10.2. Suppliers of AI System Components
4 obligations
ISO42001-A.10.2-05
Requirement
Include audit rights in supplier agreements
The organization must ensure that supplier agreements include provisions for audit rights, allowing the organization to
ISO42001-A.10.2-06
Requirement
Include incident notification obligations in supplier agreements
The organization must ensure that supplier agreements include specific obligations for suppliers to notify the organizat
ISO42001-A.10.2-07
Data Governance
Include data and IP handling provisions in supplier agreements
The organization must ensure that supplier agreements address the handling of data and intellectual property by supplier
ISO42001-A.10.2-08
Monitoring
Monitor supplier performance throughout relationship duration
The organization must continuously monitor supplier performance and compliance with agreed requirements for the entire d
Article A.10.3. Shared ML Models
14 obligations
ISO42001-A.10.3-01
Requirement
Establish controls for shared ML models
The organization must establish controls for the use and sharing of machine learning models, including pre-trained model
ISO42001-A.10.3-02
Risk Management
Assess shared models for quality before integration
Controls must address the assessment of shared models for quality before integration into the organization's AI systems.
ISO42001-A.10.3-03
Risk Management
Assess shared models for bias before integration
Controls must address the assessment of shared models for bias before integration into the organization's AI systems.
ISO42001-A.10.3-04
Risk Management
Assess shared models for security vulnerabilities before integration
Controls must address the assessment of shared models for security vulnerabilities before integration into the organizat
ISO42001-A.10.3-05
Risk Management
Assess shared models for fitness for purpose before integration
Controls must address the assessment of shared models for fitness for purpose before integration into the organization's
ISO42001-A.10.3-06
Documentation
Maintain documentation of shared model provenance
The organization must maintain documentation of the provenance of shared models.
ISO42001-A.10.3-07
Documentation
Maintain documentation of shared model training data characteristics
The organization must maintain documentation of the training data characteristics of shared models.
ISO42001-A.10.3-08
Documentation
Maintain documentation of shared model known limitations
The organization must maintain documentation of the known limitations of shared models.
ISO42001-A.10.3-09
Documentation
Maintain documentation of shared model performance characteristics
The organization must maintain documentation of the performance characteristics of shared models.
ISO42001-A.10.3-10
Transparency
Provide documentation when sharing models externally
When sharing models externally, the organization must provide appropriate documentation.
ISO42001-A.10.3-11
Transparency
Provide usage guidance when sharing models externally
When sharing models externally, the organization must provide usage guidance.
ISO42001-A.10.3-12
Requirement
Establish agreements governing terms of use for external model sharing
When sharing models externally, the organization must establish agreements governing the terms of use.
ISO42001-A.10.3-13
Requirement
Establish agreements governing liability for external model sharing
When sharing models externally, the organization must establish agreements governing liability.
ISO42001-A.10.3-14
Requirement
Establish agreements governing support for external model sharing
When sharing models externally, the organization must establish agreements governing support.
Article A.10.4. Provision of AI System to Third Parties
5 obligations
ISO42001-A.10.4-01
Requirement
Establish processes for responsible AI system provision to third parties
The organization must establish formal processes specifically designed for the responsible provision of AI systems or AI
ISO42001-A.10.4-02
Transparency
Provide comprehensive AI system information to third parties
The organization must provide third parties with sufficient information about the AI system, covering its intended use,
ISO42001-A.10.4-03
Requirement
Establish responsibility-defining agreements with third parties
The organization must establish formal agreements that clearly define the respective responsibilities of both the organi
ISO42001-A.10.4-04
Risk Management
Consider potential for third-party misuse
The organization must actively consider and assess the potential for misuse of AI systems by third parties as part of th
ISO42001-A.10.4-05
Risk Management
Implement controls to mitigate third-party misuse risks
The organization must implement appropriate controls to mitigate the risks associated with potential misuse of AI system